PDPT: Passive DNS Port Test
Monday, July 21, 2008
The Passive DNS Port Test (PDPT) tool acts as a passive DNS monitor to flag resolvers that may be vulnerable to the cache poisoning issue described in CERT VU #800113. Similar to OARC's porttest, this monitor will judge the source port behavior of resolvers based on the standard deviation of observed source ports.
The Passive Approach
Another VU #800113-related testing tool? Of course, we've already seen a number of tools released to help administrators identify and patch vulnerable resolvers: Dan has the DNS Checker tool on his website to allow visitors to test their resolvers. OARC has the porttest service available to test the randomness of a specific resolver using dig. Niels has released a tool to test the randomness of the source ports and query ids of your resolver and an embeddable image to place on a website to test the resolvers of the site's visitors. Jose Avila has released a tool to periodically dump the cache of a resolver and check for potential poisoning.
Most of these existing tools are targeted at testing whether a specific resolver is employing sufficient source port randomization to protect against Dan's forthcoming cache poisoning discovery. However, if you're an administrator for a large network with hundreds of resolvers, an active probing tool may be ineffective for tracking down all offending resolvers. Attempting to scan your entire network for DNS servers that offer recursive resolving services will often produce inaccurate results due to visibility constraints like access control, NAT, and resolver configuration (e.g. BIND's allow-recursion configuration parameter).
Hence, the motivation for PDPT. PDPT takes a passive approach to auditing the source port behavior of resolvers on your network. By deploying PDPT near an egress point of your network, it can monitor all outgoing DNS queries, discover recursive resolvers, and report on their source port behavior.
tup ~ # ./pdpt.py -h
Usage: pdpt.py [options]

Options:
  -h, --help  show this help message and exit
  -i DEVICE   interface to listen for queries on
  -c COUNT    queries to observe before judging a resolver

tup ~ # ./pdpt.py -i eth0 -c 300
listening on eth0: udp and dst port 53
Mon Jul 21 01:55:38 2008: 220.127.116.11 is BAD: 300 queries from 1 ports with std dev 0.000000
Mon Jul 21 01:55:45 2008: 18.104.22.168 is GOOD: 300 queries from 300 ports with std dev 15005.263807
...
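The judging logic described above, as an added Python example rather than pdpt.py's own code: observed UDP source ports are grouped by resolver IP and, once a fixed number of queries has been seen, the population standard deviation and distinct-port count decide the verdict. The GOOD/BAD threshold, the resolver addresses and the observations are constructed assumptions that are not in the post; the example also covers a resolver that increments its source port, which is flagged BAD despite using a different port for every query.

```python
import statistics
from collections import defaultdict

# Assumed threshold (not from the original post): a resolver whose observed
# source ports have a population standard deviation below this is judged BAD.
MIN_STDDEV = 1000.0
COUNT = 6  # queries to observe before judging (the post's -c option; 300 there)


class PassivePortMonitor:
    """Track UDP source ports per resolver and judge after COUNT queries."""

    def __init__(self, count=COUNT, min_stddev=MIN_STDDEV):
        self.count = count
        self.min_stddev = min_stddev
        self.ports = defaultdict(list)  # resolver IP -> observed source ports

    def observe(self, resolver_ip, src_port):
        """Record one outgoing query to port 53. Returns a verdict dict once
        COUNT queries have been seen for this resolver, otherwise None."""
        seen = self.ports[resolver_ip]
        seen.append(src_port)
        if len(seen) < self.count:
            return None
        stddev = statistics.pstdev(seen)  # 0.0 when every port is identical
        verdict = {
            "resolver": resolver_ip,
            "queries": len(seen),
            "distinct_ports": len(set(seen)),
            "stddev": stddev,
            "status": "GOOD" if stddev >= self.min_stddev else "BAD",
        }
        del self.ports[resolver_ip]  # start a fresh window for this resolver
        return verdict


def run_demo():
    """Feed constructed observations (not captured traffic) through the monitor."""
    # Three hypothetical resolvers: fixed port, sequential ports, randomised ports.
    observations = (
        [("192.0.2.10", 32768)] * COUNT
        + [("192.0.2.20", 1024 + i) for i in range(COUNT)]
        + [("192.0.2.30", p) for p in (1025, 60123, 33000, 5432, 49999, 12345)]
    )
    mon = PassivePortMonitor()
    verdicts = {}
    for ip, port in observations:
        v = mon.observe(ip, port)
        if v:
            verdicts[ip] = v
    return verdicts
```

The sequential-port resolver ends up with six distinct ports but a standard deviation under 2, so counting distinct ports alone would have passed it.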